| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 01 Dec 2013 20:14:37 +0200
From: Ivajlo Dimitrov <ivo.g.dimitrov.75@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>,
Pavel Machek <pavel@....cz>
CC: Pali Rohá <pali.rohar@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Ивайло Д <freemangordon@....bg>,
sre@...g0.de, omar.ramirez@...itl.com, tony@...mide.com,
felipe.contreras@...il.com, s-anna@...com, nm@...com,
ohad@...ery.com, stable@...r.kernel.org,
linux-kernel@...r.kernel.org, nico@...lde.de
Subject: Re: [patch] Staging: tidspbridge: make mmap root-only so it is not
a security problem
On 01.12.2013 14:27, Dan Carpenter wrote:
> On Sun, Dec 01, 2013 at 01:10:06PM +0100, Pavel Machek wrote:
>> diff --git a/drivers/staging/tidspbridge/rmgr/drv_interface.c b/drivers/staging/tidspbridge/rmgr/drv_interface.c
>> index 1aa4a3f..a8e86cf 100644
>> --- a/drivers/staging/tidspbridge/rmgr/drv_interface.c
>> +++ b/drivers/staging/tidspbridge/rmgr/drv_interface.c
>> @@ -258,7 +258,17 @@ err:
>> /* This function maps kernel space memory to user space memory. */
>> static int bridge_mmap(struct file *filp, struct vm_area_struct *vma)
>> {
>> - u32 status;
>> + int status;
>> + struct omap_dsp_platform_data *pdata =
>> + omap_dspbridge_dev->dev.platform_data;
>> + unsigned long start = vma->vm_pgoff << PAGE_SHIFT;
>> +
>> + if (start < pdata->phys_mempool_base)
>> + return -EINVAL;
>> +
>> + if (vma->vm_end - vma->vm_start + (start - pdata->phys_mempool_base)
>> + > pdata->phys_mempool_size)
> This test is vulnerable to integer overflows if you pick a very high
> value for start. Consider using the vm_iomap_memory() helper function
> instead of calling remap_pfn_range() directly. Commit 7314e613d5ff
> ('Fix a few incorrectly checked [io_]remap_pfn_range() calls') has an
> example of how the conversion works.
>
> regards,
> dan carpenter
>
Dan,
If that one looks fine, I'll send a correctly formatted patch.
Pavel - feel free you to do it, I don't want to "steal" your bug :) .
Patch tested with Maemo5 on n900:
diff --git a/drivers/staging/tidspbridge/rmgr/drv_interface.c
b/drivers/staging/tidspbridge/rmgr/drv_interface.c
index 1aa4a3f..2d500ea 100644
--- a/drivers/staging/tidspbridge/rmgr/drv_interface.c
+++ b/drivers/staging/tidspbridge/rmgr/drv_interface.c
@@ -258,8 +258,9 @@ err:
/* This function maps kernel space memory to user space memory. */
static int bridge_mmap(struct file *filp, struct vm_area_struct *vma)
{
- u32 status;
-
+ struct omap_dsp_platform_data *pdata =
+ omap_dspbridge_dev->dev.platform_data;
+
/* VM_IO | VM_DONTEXPAND | VM_DONTDUMP are set by remap_pfn_range() */
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
@@ -268,13 +269,9 @@ static int bridge_mmap(struct file *filp, struct
vm_area_struct *vma)
vma->vm_start, vma->vm_end, vma->vm_page_prot,
vma->vm_flags);
- status = remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
- vma->vm_end - vma->vm_start,
- vma->vm_page_prot);
- if (status != 0)
- status = -EAGAIN;
-
- return status;
+ return vm_iomap_memory(vma,
+ pdata->phys_mempool_base,
+ pdata->phys_mempool_size);
}
static const struct file_operations bridge_fops = {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists